Route-to NAT same interface (source-based routing + NAT)

Hello,

I would like to have a route group for two outgoing ISPs. The issue is that when the traffic should be routed to the IP of the same interface, the NAT is not applied.
Here is a POC:

I have this scenario:
em0 172.16.22.1
em0 alias 172.16.99.1
pppoe0 public IP of one ISP

nat
nat on pppoe0 inet from 172.16.99.0/24 to any -> XX.XX.XXXX port 1024:65535 (where XX.xx.. is the public IP of the provider)
nat on em0 inet from 172.16.99.0/24 to any -> 172.16.22.1 port 1024:65535

pass in log quick on em0 route-to (pppoe0 XX.xx.xx.xx) inet from 172.16.99.0/24 to any flags S/SA keep state label "USER_RULE: a"

This is working fine: my packets originating from the 172.16.99.0/24 net are routed to pppoe0 and NATed according to the rules.

BUT if I change this rule (so I simply change the next hop):
pass in log quick on em0 route-to (em0 172.16.22.99) inet from 172.16.99.0/24 to any flags S/SA keep state label "USER_RULE: a"

the rule is passed (logged) but no NAT is applied at all!?! Why?!

I also tried another POC: with these pf-only rules, this POC works:
nat on em0 inet from 172.16.99.0/24 to any -> 172.16.22.1 port 1024:65535
pass out log on em0 route-to (em0 172.16.22.99) inet proto tcp from 172.16.99.0/24 to any flags S/SA keep state

But if I replicate these rules in pfSense, it's not working because it drops everything by default, so I should apply a pass rule like this:
pass in log on em0 inet proto tcp from 172.16.99.0/24 to any
but with that ... no packets are matched by the pass out rule!

If I replicate this POC with 172.16.99.0/24 configured on another physical interface instead of on the alias interface, there are no problems!

What do you think?

I'm going crazy...
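One way to check whether pf actually applied a translation rule, as an added example that is not part of the original post: parse the per-rule counters that `pfctl -vvsn` prints (Evaluations vs. Packets) and flag nat rules that pf evaluated but that never matched a packet, which is the "passed and logged, but no NAT" symptom described above. The pfctl output below is constructed, and 203.0.113.5 stands in for the ISP's public address.

```python
import re

# Constructed sample of `pfctl -vvsn` output (not captured from the poster's
# box). pf prints each translation rule followed by a bracketed counter line.
SAMPLE_PFCTL_VVSN = """\
@0 nat on pppoe0 inet from 172.16.99.0/24 to any -> 203.0.113.5 port 1024:65535
  [ Evaluations: 418       Packets: 212       Bytes: 18860       States: 7     ]
  [ Inserted: uid 0 pid 0 State Creations: 7     ]
@1 nat on em0 inet from 172.16.99.0/24 to any -> 172.16.22.1 port 1024:65535
  [ Evaluations: 418       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 0 State Creations: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(nat on (\S+) .*)$")
COUNTER_RE = re.compile(
    r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)"
)


def parse_nat_counters(text):
    """Return one dict per nat rule: id, rule text, interface and counters."""
    rules = []
    current = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "rule": m.group(2),
                       "interface": m.group(3)}
            rules.append(current)
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current.update(evaluations=int(m.group(1)), packets=int(m.group(2)),
                           bytes=int(m.group(3)), states=int(m.group(4)))
    return rules


def evaluated_but_never_matched(rules):
    """nat rules pf looked at (Evaluations > 0) that never translated a packet.

    Evaluations counts how often pf considered the rule; Packets only counts
    traffic the rule actually matched, so this combination means pf saw the
    packets on that interface but the rule's match criteria never fit them."""
    return [r for r in rules
            if r.get("evaluations", 0) > 0 and r.get("packets", 0) == 0]


if __name__ == "__main__":
    for r in evaluated_but_never_matched(parse_nat_counters(SAMPLE_PFCTL_VVSN)):
        print(f"@{r['id']} on {r['interface']} never matched: {r['rule']}")
```

Run it against real output with `pfctl -vvsn | python3 this_script.py`-style piping adapted to read stdin, or paste the output into SAMPLE_PFCTL_VVSN; a nat rule that shows Evaluations but zero Packets is the one to compare against the route-to rule's interface.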